
Solved Antiviruses stop searching or can't clean

Discussion in 'Malware and Virus Removal Archive' started by Stefan B, 2009/11/14.

  1. 2009/12/02
    Stefan B Inactive Thread Starter

    Hi and thank you.
    The last e-mail showed how determined you are to help me.



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/02/2009 at 11:10 AM

    Application Version : 4.31.1000

    Core Rules Database Version : 4327
    Trace Rules Database Version: 2182

    Scan type : Complete Scan
    Total Scan Time : 01:41:19

    Memory items scanned : 404
    Memory threats detected : 0
    Registry items scanned : 5559
    Registry threats detected : 12
    File items scanned : 134624
    File threats detected : 2

    Trojan.Agent/Gen
    HKLM\Software\Classes\CLSID\{110B50F0-4954-4300-B71D-D4DE33922B3A}
    HKCR\CLSID\{110B50F0-4954-4300-B71D-D4DE33922B3A}
    HKCR\CLSID\{110B50F0-4954-4300-B71D-D4DE33922B3A}
    HKCR\CLSID\{110B50F0-4954-4300-B71D-D4DE33922B3A}\InprocServer32
    HKCR\CLSID\{110B50F0-4954-4300-B71D-D4DE33922B3A}\InprocServer32#ThreadingModel
    C:\SPYWAR~1.04\RNMENU.DLL
    C:\SPYWARE CLEANER 2009 V3.04\RNMENU.DLL

    Rogue.AntiSpywareXP2009
    HKLM\Software\AntiSpywareXP2009
    HKLM\Software\AntiSpywareXP2009#email3

    Rogue.Component/Trace
    HKLM\Software\Microsoft\D8622936
    HKLM\Software\Microsoft\D8622936#d8622936
    HKLM\Software\Microsoft\D8622936#Version
    HKLM\Software\Microsoft\D8622936#d86284b6
    HKLM\Software\Microsoft\D8622936#d862ed53


    ******************************************************************


    Malwarebytes' Anti-Malware 1.41
    Database version: 3275
    Windows 5.1.2600 Service Pack 2

    12/2/2009 1:20:01 PM
    mbam-log-2009-12-02 (13-20-01).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 289904
    Time elapsed: 50 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 7
    Files Infected: 136

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\RnSafe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Cleaner 2009 V3.04_is1 (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast!UpdateAgent.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_AVAST!UPDATEAGENT.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{110b50f0-4954-4300-b71d-d4de33922b3a} (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\i b\Local Settings\Application Data\qip (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04 (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04 (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Quarantine (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\UP (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\UpTemp (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Spyware Cleaner 2009 V3.04\RnScan.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnHosts.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnJKC.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnRC.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnRecycel.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnRely.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSettings.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnTemp.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnUp.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnUpDate.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\SpywareCleaner.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\i b\Desktop\rnsetup.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Hosts Files Editor.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Junk Files Cleaner.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Manage Startup applications.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Registry Cleaner.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Spyware Cleaner 2009 V3.04 on the Web.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Spyware Cleaner 2009 V3.04.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Spyware Cleaner 2009 V3.04\Uninstall Spyware Cleaner 2009 V3.04.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnast.dar (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnaxs.sq (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnBr.dll (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rndes.asw (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rndth.st (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnel.bb (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnfi.bbi (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnFix1.reg (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnFix5.reg (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\rnig02.dst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnqiz.ba (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnrcp.bb (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnRec.dat (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnric.bb (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSafe.url (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSo1.bb (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSock1.reg (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSock2.reg (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnSock3.reg (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnStartup.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnTru.dat (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Rnwad.as (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\set.ini (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\unins000.dat (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\unins000.exe (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\up.rn (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\update.ini (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast103.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast104.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast105.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast106.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast107.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast108.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast109.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast110.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast111.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast112.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast113.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast114.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast115.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast116.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast117.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast118.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast119.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast120.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast121.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast122.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast123.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast124.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast125.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast126.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast127.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast128.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\ast129.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth009.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth010.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth011.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth012.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth013.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth014.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth015.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth016.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth017.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth018.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth019.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth020.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth021.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth022.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth023.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth024.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth025.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth026.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth027.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth028.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth029.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth030.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth031.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth032.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth033.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\dth034.rnt (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7005.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7006.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7007.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7008.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7009.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7010.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7011.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7012.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7013.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7014.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7015.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7016.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7017.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7018.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7019.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7020.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7021.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\el7022.rst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\f000129.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\f00129.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\f001290.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\f1290.rda (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3909.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3910.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3911.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3912.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3913.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3914.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3915.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3916.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3917.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\fi3918.ric (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\rnig03.dst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\Data\rnig04.dst (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Desktop\Spyware Cleaner 2009 V3.04.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Spyware Cleaner 2009 V3.04.lnk (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.
    C:\Spyware Cleaner 2009 V3.04\RnDrv.sys (Rogue.SpywareCleaner2009) -> Quarantined and deleted successfully.


    ******************************************************************


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:04:27 AM, on 11/25/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Infogate\CZone\Czone.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSHDLL32.EXE
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: C-zone.lnk = C:\Program Files\Infogate\C-zone.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Czone.lnk = C:\Program Files\Infogate\CZone\Czone.exe
    O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248936321140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B928FF-7423-4F30-9112-5ED4945ADA23}: NameServer = 81.181.111.2,80.96.198.2
    O23 - Service: AGXWOM - Unknown owner - C:\DOCUME~1\IB0969~1\LOCALS~1\Temp\AGXWOM.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
    O23 - Service: Google Update Service (gupdate1ca0f9d77f7758e) (gupdate1ca0f9d77f7758e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 9208 bytes
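As an added example, not part of this thread and not a HijackThis feature, here is a small Python triage script that parses HJT entry lines like the ones in the log above and flags what an analyst reads first: the O23 service with a missing binary under a Temp folder, the O17 NameServer override and the O10 unknown LSP. The heuristics are mine and the sample lines are constructed from the log posted above; a hit is a review item, not a verdict.

```python
"""Triage helper for HijackThis 2.0 logs (added example, not part of the thread).

Parses the 'Rn - ...' / 'On - ...' entries and flags the ones a malware
analyst reads first: services whose binary is missing or lives in a Temp
folder, autoruns from Temp/profile folders, unrecognised Winsock LSPs and
DNS (O17) overrides.  The heuristics are illustrative; a hit is a review
item, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: six lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B928FF-7423-4F30-9112-5ED4945ADA23}: NameServer = 81.181.111.2,80.96.198.2
O23 - Service: AGXWOM - Unknown owner - C:\DOCUME~1\IB0969~1\LOCALS~1\Temp\AGXWOM.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# "O23 - Service: ..." -> code "O23", body "Service: ..."
ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# Folders a service or autorun binary should not normally live in.
SUSPECT_DIRS = re.compile(r"\\(?:Temp|Application Data)\\", re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


@dataclass
class Finding:
    code: str        # HijackThis section, e.g. "O23"
    entry: str       # the entry body as logged
    severity: str    # "high" or "review"
    reasons: list    # human-readable reasons the entry was flagged


def parse_entries(text):
    """Return (code, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_entry(code, body):
    """Apply the per-section heuristics; return a Finding or None."""
    reasons, high = [], False
    if code == "O23":                      # Windows services
        if "(file missing)" in body:
            reasons.append("service binary is missing from disk")
            high = True
        if "Unknown owner" in body:
            reasons.append("service has no publisher information")
        if SUSPECT_DIRS.search(body):
            reasons.append("service binary located in a Temp/profile folder")
            high = True
    elif code == "O4":                     # Run keys and Startup folders
        if SUSPECT_DIRS.search(body):
            reasons.append("autorun entry launches from a Temp/profile folder")
            high = True
    elif code == "O10":                    # Winsock Layered Service Providers
        if "Unknown file" in body:
            reasons.append("Winsock LSP not recognised by HijackThis; verify the DLL's publisher")
    elif code == "O17":                    # DNS / domain overrides
        m = NAMESERVER.search(body)
        if m:
            reasons.append("DNS servers set to %s; confirm they belong to the ISP" % m.group("servers"))
    if not reasons:
        return None
    return Finding(code, body, "high" if high else "review", reasons)


def triage(text):
    """Triage a whole log; findings keep log order."""
    results = []
    for code, body in parse_entries(text):
        f = triage_entry(code, body)
        if f:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s - %s" % (f.severity.upper(), f.code, f.entry))
        for r in f.reasons:
            print("    - " + r)
```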
     
  2. 2009/12/02
    broni Moderator Malware Analyst

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web CureIt.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  4. 2009/12/03
    Stefan B Inactive Thread Starter

    I couldn't download Dr.Web from the address you sent me, nor from its site.
    Should I use another browser than Internet Explorer?
     
  5. 2009/12/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Maybe some temporary download site glitch.
    It's working now.
     
  6. 2009/12/09
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Hi,
    This is the result of Dr.Web scan:


    FIND3M.bat;C:\ComboFix;Probably BATCH.Virus;;
    List-C.bat;C:\ComboFix;Probably BATCH.Virus;;
     
  7. 2009/12/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're supposed to uninstall Combofix...
    Delete Combofix manually....
    Delete the Combofix and Qoobox folders, and the Combofix.txt file, from C:
    Delete Combofix from your desktop

    Please, post fresh HJT log.
     
  8. 2009/12/10
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Forgive me, the application ComboFix was deleted from the desktop, but I struggled to obtain Dr.Web (through a friend's network) and I forgot to examine the rest of the PC. The log file is this:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:04:27 AM, on 11/25/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Infogate\CZone\Czone.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Common\FSHDLL32.EXE
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: C-zone.lnk = C:\Program Files\Infogate\C-zone.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Czone.lnk = C:\Program Files\Infogate\CZone\Czone.exe
    O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248936321140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B928FF-7423-4F30-9112-5ED4945ADA23}: NameServer = 81.181.111.2,80.96.198.2
    O23 - Service: AGXWOM - Unknown owner - C:\DOCUME~1\IB0969~1\LOCALS~1\Temp\AGXWOM.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
    O23 - Service: Google Update Service (gupdate1ca0f9d77f7758e) (gupdate1ca0f9d77f7758e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 9208 bytes
     
  9. 2009/12/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ===============================================================

    Please, uninstall Ask.com through Add\Remove (it may be called Ask Toolbar)

    ==============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    - O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    - O3 - Toolbar: Ask && Record Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    - O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    - O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    - O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet



    5. Click on Fix checked button.

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

    7. Delete following files/folders (if present):
    - Ask.com and Ask & Record Toolbar folders from C:\Program Files
    Note. If deletion doesn't work, attempt it in Safe Mode - restart computer, and keep tapping F8 key, until menu appears.

    8. Go Start>Run (Vista users - "Start search"), type in:
    cmd
    Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).

    Command Prompt window will open.
    Type in:
    sc stop AGXWOM
    Press Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete AGXWOM
    Press Enter.
    Wait for confirmation.


    9. Restart computer.

    10. Post new HijackThis log.
     
  10. 2009/12/17
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Hi,
    This is the new log:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:36:57 PM, on 12/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Infogate\CZone\Czone.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSHDLL32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\i b\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\F-Secure\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: C-zone.lnk = C:\Program Files\Infogate\C-zone.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Czone.lnk = C:\Program Files\Infogate\CZone\Czone.exe
    O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248936321140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C8B928FF-7423-4F30-9112-5ED4945ADA23}: NameServer = 81.181.111.2,80.96.198.2
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
    O23 - Service: Google Update Service (gupdate1ca0f9d77f7758e) (gupdate1ca0f9d77f7758e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 7959 bytes
     
  11. 2009/12/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure, Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please, let me know, how is your computer doing.
     
  12. 2009/12/18
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Hi,
    It didn't work perfectly.


    "1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer."


    When restarting, the computer stopped with the message "Windows is shutting down".
     
  13. 2009/12/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ...and?
     
  14. 2009/12/20
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Well, I assumed the PC would shut down and restart all by itself, without my help. Or at least finish what it said - "is shutting down".
     
  15. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Shut it down manually, if you have to.
     
  16. 2009/12/23
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Hi,
    I'm using Avira Personal - Free. I downloaded the trial version of F-Secure and the trial period expires. I find it odd that when unloaded, F-Secure only permits unrestricted Internet access. When the computer starts back up, it comes back as antivirus. Is this ok? Does the unloading have to be done in a different manner?
    During our conversations you taught me to download some programs to my desktop: SUPERAntiSpyware, RootkitRevealer, avenger, Malwarebytes' Anti-Malware, HijackThis, drweb-cureit, TFC. Is it an idea to keep these programs, on the desktop or elsewhere? If negative, which ones should be deleted? If affirmative, when should I use each of them and how often? What may one or another bring more than my current free Avira?
    I set this last one to upload on a daily basis.
     
  17. 2009/12/23
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    I scanned my computer with Avira and this is the result:


    The file 'C:\Program Files\F-Secure\FSAUA\content\aquawin32\1261366718\cran.cvd'
    contained a virus or unwanted program 'Trivial-28 (A)' [virus]
    Action(s) taken:
    The file was moved to '4b905381.qua'!

    The file 'C:\Program Files\F-Secure\FSAUA\content\aquawin32\1261366718\cran.ivd'
    contained a virus or unwanted program 'HTML/Silly.Gen' [virus]
    Action(s) taken:
    The file was moved to '4ae1c632.qua'!


    The file 'C:\Documents and Settings\i b\Desktop\dds.pif'
    contained a virus or unwanted program 'HIDDENEXT/Crypted' [heuristic]
    Action(s) taken:
    The file was moved to '4ba25373.qua'!

    The file 'D:\OrCAD 9 Kit\Network\Hasp\NHSRVW32.EXE'
    contained a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan]
    Action(s) taken:
    The file was moved to '4b825357.qua'!

    The file 'C:\Program Files\F-Secure\FSAUA\content\aquawin32\1261366718\jpeg.xmd'
    contained a virus or unwanted program 'HTML/Infected.WebPage.Gen' [virus]
    Action(s) taken:
    The file was moved to '4b94537f.qua'!



    Where can I find any information about those destinations of unwanted programs?
     
  18. 2009/12/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Keepers:
    - Superantispyware and Malwarebytes - run scans on occasion, especially, if you feel, your computer misbehaves;
    - TFC - run it weekly
    The others can go.

    I'm not sure, what your question is...

    How is your computer doing overall?
     
  19. 2009/12/24
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    The computer is doing very fine, thanks a lot for it. Avira did its job ok, without any stopping this time.

    The antivirus found unwanted programs and moved them to different *.qua destinations. My questions were about these .qua ones - are they ordinary files, do they remain somewhere on the PC or are they deleted... Maybe I can find some answers only by studying more of Avira?
     
  20. 2009/12/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Those files were moved to Avira's vault.
    Normally, as a precaution, keep it that way for a few days (just to make sure no computer vital files were removed). If computer works fine, empty the vault.

    Merry Christmas :)
     
  21. 2010/01/04
    Stefan B

    Stefan B Inactive Thread Starter

    Joined:
    2009/08/23
    Messages:
    50
    Likes Received:
    0
    Happy New Year!
     